I have a URL with a query param like: www.example.com?src=%27};alert(1);a={%27%27:%27. I want to clean up the URL when the request gets made and return it to the browser without the javascript alert evaluating. By "clean up" I mean: remove html tags, invalid characters, and characters that can potentially evaluate in the user's browser.
This is what I'm thinking and please correct me if I'm thinking about this incorrectly: when the request is made, catch it in the middleware and then send back a cleaned up version of the query params (maybe redirect the user).
I'm not sure if PHP supports this? I thought I could override the query params in $_GET and assign the src param with the cleaned up value but that doesn't seem to be working. I've also tried overriding $_SERVER['QUERY_STRING'] but that also doesn't work.
What's the best way to handle something like this in PHP?
Related
Assume a page with multiple HTTP request parameters filter=on&page=4 and so on. Those parameters are injected in the search form.
I need to have a button outside of the form that keeps the parameters, but adds another one download=csv into it. And that has to be done in the Blade template file, not in the php file (no $request variable available).
Something along the lines of this:
Download
But the code above doesn't seem to work. It doesn't return the URL with the parameter in it. It just returns the URL that was prior to that, aka the injection doesn't happen.
Try something like this
Download
I have a listing with some filters which are applied on form submit, using GET as form method. So after submit, I get a url that looks like:
/listing?filter_1=a&filter_2=&filter_3=c
Notice that filter_2 is empty. How can I avoid showing it in the URL in this case? I would only need the URL to be like this:
/listing?filter_1=a&filter_3=c
I would not mess with $_GET and I wonder what is the right way to do it with Laravel 4.
Thank you
During making of url, you need to check the value of variables whether it has empty or null or have some value. Then add those varibale into the url, so that your url will be clean.
to achive this you will be required to use Laravel - pretty URls functionality and make some changes in Route::get function to remove empty parameters while construction url.
I'm kind of a noob at this stuff.
But I've been browsing around and I see sites that are kind alike this
www.store.com/product.php?id=123
this is really cool. but How do I do it?
Im stuck using something like this
www.store.com/product/product123.php
If you could tell me how I can go about do this it would be awesome!
What you're looking at is a $_GET argument.
In your PHP code, try writing something like this:
$value = $_GET['foo'];
Then open your page like this:
hello.php?foo=123
This will set $value to 123.
You need to use the $_GET here.
if you use the following:
?id=123
then this will be how to use it and the result
$_GET['id'] (returns the 123)
You can use as many $_GET arguments as you need, for example:
?id=123&foo=bar&type=product
$_GET is an array of what parameters are in the url, so you use it the same way as an array.
Create a file called product.php with this code:
<?php
echo "The argument you passed was: " . $_GET['id'];
?>
Now run this URL in your browser:
http://<yourdomain>/product.php?id=123
and you will understand how $_GET works.
Those are called URL parameters (what they're contained in is called a query string), and they're not unique to PHP but can be accessed in PHP using the $_GET superglobal.
Similarly, you can get POST parameters using the $_POST superglobal, though in POST requests, these parameters are not appended to the URL.
Note: Generally, for usability purposes (and thus also SEO purposes), you want to avoid using query strings as much as possible. These days, the standard practice is to use URL rewriting to display friendly URLs to the user. So your application might accept a URL like:
/products.php?id=32
But the user only sees:
/product/32
You can do this by using mod_rewrite or similar URL rewriting capabilities to turn the friendly URL into the former query string URL internally, without having the user type out the query string.
You might want to have a look at the documentation at www.php.net, especially these pages: http://www.php.net/manual/en/reserved.variables.php
Specifically, have a look at $_GET and $_POST, which are two frequently used ways to transmit information from a browser to the server. (In short, GET-parameters are specified in the URL, as in your question, while POST-parameters are "hidden from view", but can contain more data - typically the contents of forms etc, such as the textbox you posted your question in).
I have a form with an input field that accepts url.
Everything works fine until someone tried submitting a url with url encoded elements. The url looks something like that
http://example.com/a=xx&b=%23yy
I am receiving this string as http://example.com/a=xx&b=#yy
Even before any form verification, $this->input->post('url') decoded the url encoded elements. I need to receive it exactly as entered.
I tried with a regular and multipart form.
Any idea what is causing that?
Did you put XSS filtering to TRUE globally in application/config.php?
$config['global_xss_filtering'] = TRUE;
If so you can disable the filtering by setting the optional parameter like this:
$this->input->post('url', FALSE)
Also check to see if the "Allowed URL Characters" in application/config.php is sane.
I would also play around with URLEncode/decode both client- and serverside.
Maybe CodeIgniter's input class have some magic in it. Try to print_r your $_POST directly. Does that url get unaffected there?
I'm trying to make a bookmarklet that will take the URL of the current page you are on, and send it to an application written using CodeIgniter.
The problem I keep running into is that I can't do a standard AJAX call, because it's cross-domain. It is disallowed, and I can't figure out a way to use the JSONP via $_GET method since CodeIgniter blows away the $_GET parameter.
At this point I'll take any suggestions on how to do this. Please note that I need to send a URL, and if it's to be passed via a URL itself it obviously needs to be encoded or something. This I also haven't figured out how to do, so any pointers on that end would be appreciated as well.
Codeigniter unsets $_GET but you can get the data from the query string. It is a little inefficient because PHP will probably end parsing the query string twice, but it should work:
parse_str($_SERVER['QUERY_STRING'], $get);
print_r($get);
All the GET variables should be accesible in the variable $get. See parse_str() documentation for some more information.
As an alternative you could url-encode the current URL and append it to what you are requesting e.g.
var url = 'http://example.com/bookmarklet/'
+ encodeURIComponent(window.location);
Then in Codeigniter do something like:
//you might have to call urldecode() on this value
$url = $this->uri->segment(0);
but you may find you then have this problem
It is possible to enable query strings in Codeigniter, but watch out for the caveats - you can't use the URL helper, for example.